.TH F2FSCRYPT 8
.SH NAME
f2fscrypt \- f2fs filesystem encryption utility
.SH SYNOPSIS
.B f2fscrypt add_key -S \fR[\fB -k \fIkeyring\fR ] [\fB-v\fR] [\fB-q\fR] [ \fI path\fR ... ]
.br
.B f2fscrypt new_session
.br
.B f2fscrypt get_policy \fIpath\fR ...
.br
.B f2fscrypt set_policy \fIpolicy path\fR ...
.SH DESCRIPTION
.B f2fscrypt
performs encryption management for f2fs file systems.
.SH COMMANDS
.TP
.B f2fscrypt add_key -S \fR[\fB -k \fIkeyring\fR ] [\fB-v\fR] [\fB-q\fR] [ \fI path\fR ... ]
Prompts the user for a passphrase and inserts it into the specified
keyring.  If no keyring is specified, f2fscrypt will use the session
keyring if it exists or the user session keyring if it does not.
.IP
If one or more directory paths are specified, f2fscrypt will try to
set the policy of those directories to use the key just entered by
the user.
.TP
.B f2fscrypt get_policy \fIpath\fR ...
Print the policy for the directories specified on the command line.
.TP
.B f2fscrypt new_session
Give the invoking process (typically a shell) a new session keyring,
discarding its old session keyring.
.TP
.B f2fscrypt set_policy \fIpolicy path\fR ...
Sets the policy for the directories specified on the command line.
All directories must be empty to set the policy; if the directory
already has a policy established, f2fscrypt will validate that the
policy matches what was specified.  A policy is an encryption key
identifier consisting of 16 hexadecimal characters.
.SH NOTES
The target directory must be empty.
.SH EXAMPLE
.nf
Formats a f2fs filesystem that supports encrypt.

.ft R
# mkfs.f2fs -O encrypt /dev/sdxx
# mount /dev/sdxx /encrypted/
# mkdir /encrypted/dir

.nf
First create the key in the keyring use an simple salt
(or generate a random salt).
Then use it to set the policy for the directory to be encrypted.

.ft R
# f2fscrypt add_key -S 0x1234
  Enter passphrase (echo disabled):
  Added key with descriptor [28e21cc0c4393da1]

# f2fscrypt set_policy 28e21cc0c4393da1 /encrypted/dir
  Key with descriptor [28e21cc0c4393da1] applied to /encrypted/dir.

# touch /encrypted/dir/test.txt
# ls -l /encrypted/dir/
  -rw-r--r--. 1 root root 0 Mar  5 21:41 test.txt

.nf
After each reboot, the same command can be used set the key for
decryption of the directory and its descendants.

.ft R
# ls -l /encrypted/dir/
  -rw-r--r--. 1 root root 0 Mar  5 21:41 zbx7tsUEMLzh+AUVMkQcnB

# f2fscrypt get_policy /encrypted/dir/
  /encrypted/dir/: 28e21cc0c4393da1

# f2fscrypt add_key -S 0x1234
  Enter passphrase (echo disabled):
  Added key with descriptor [28e21cc0c4393da1]

# ls -l /encrypted/dir/
  -rw-r--r--. 1 root root 0 Mar  5 21:41 test.txt

.nf
Show process keyrings.

.ft R
# keyctl show
  Session Keyring
    84022412 --alswrv      0     0  keyring: _ses
   204615789 --alswrv      0 65534   \\_ keyring: _uid.0
   529474961 --alsw-v      0     0   \\_ logon: f2fs:28e21cc0c4393da1

.SH AUTHOR
Written by Kinglong Mee <kinglongmee@gmail.com>,
Migrated from e4crypt that Written by Michael Halcrow <mhalcrow@google.com>,
Ildar Muslukhov <muslukhovi@gmail.com>, and Theodore Ts'o <tytso@mit.edu>
.SH SEE ALSO
.BR keyctl (1),
.BR mkfs.f2fs (8),
.BR mount (8).
